diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b7d5d7..4c0ba74 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -7,7 +7,7 @@ variables: DOCKER_IMAGE_PUBLISH_NAME: 'docker-glpi' DOCKER_IMAGE_PUBLISH_REGISTRY: docker.io/nofusscomputing DOCKER_IMAGE_PUBLISH_URL: https://hub.docker.com/r/nofusscomputing/$DOCKER_IMAGE_PUBLISH_NAME - PAGES_ENVIRONMENT_PATH: projects/docker_glpi/ + PAGES_ENVIRONMENT_PATH: projects/glpi/ include: - project: nofusscomputing/projects/gitlab-ci diff --git a/.gitmodules b/.gitmodules index cc4d8a5..de6bfdd 100644 --- a/.gitmodules +++ b/.gitmodules @@ -2,3 +2,7 @@ path = gitlab-ci url = https://gitlab.com/nofusscomputing/projects/gitlab-ci.git branch = development +[submodule "website-template"] + path = website-template + url = https://gitlab.com/nofusscomputing/infrastructure/website-template.git + branch = development diff --git a/dockerfile b/dockerfile index d6cbf9d..3fd6fcb 100644 --- a/dockerfile +++ b/dockerfile @@ -88,11 +88,15 @@ COPY --from=prepare /tmp/glpi /var/www/html RUN chown www-data:www-data -R /var/www; \ - ln -s /var/www/html/bin/console /bin/console; + ln -s /var/www/html/bin/console /bin/console; \ + touch /apache-passwd-glpi-inventory; \ + chown www-data:www-data /apache-passwd-glpi-inventory; \ + chmod 740 /apache-passwd-glpi-inventory; VOLUME /var/www/html/config VOLUME /var/www/html/data +VOLUME /var/www/html/files VOLUME /var/www/html/plugins VOLUME /var/www/html/marketplacey VOLUME /var/log diff --git a/docs/articles/index.md b/docs/articles/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/contact.md b/docs/contact.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/operations/index.md b/docs/operations/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/projects/glpi/index.md b/docs/projects/glpi/index.md new file mode 100644 index 0000000..2508a24 --- /dev/null 
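Review bot: In the dockerfile hunk, `/apache-passwd-glpi-inventory` is created owned by `www-data` with mode `740`, so the account that presumably runs Apache and GLPI's PHP can rewrite the credential file it is authenticated against. The owner execute bit also serves no purpose on an htpasswd file. Unless something running as `www-data` must write it, `chown root:www-data /apache-passwd-glpi-inventory; chmod 640 /apache-passwd-glpi-inventory;` keeps it readable by the server and writable only by root; the documented `htpasswd` step would then have to run as root inside the container. The file also sits at `/`, outside every declared `VOLUME`, so inventory users created at runtime are lost when the container is recreated; a short comment in the `RUN` step saying whether that is intended would help.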
+++ b/docs/projects/glpi/index.md 
@@ -0,0 +1,181 @@ +--- +title: Dockerized GLPI +description: How to use No Fuss Computings docker container GLPI. +date: 2023-08-29 +template: project.html +about: https://gitlab.com/nofusscomputing/projects/ansible/docker-glpi +--- + +This docker container contains GLPI and is intended to be production ready and requires minimal configuration to use. + +!!! info + **TLDR** The docker container is available on dockerhub. `docker pull nofusscomputing/docker-glpi:dev` + +This container is designed to be ephemeral with all data residing within docker volumes. Outside of this container, the only reqirements is hard disk space and a MySQL/MariaDB database. + + +## Features + +To see a full list of changes/features see the [changelog](https://gitlab.com/nofusscomputing/projects/docker-glpi/-/blob/development/CHANGELOG.md). + +- Data Volumes for _(relative paths are for glpi www root, `/var/www/html`)_ + + - `config/` + + - `data/` + + - `files/` + + - `plugins/` + + - `marketplace/` + + - `/var/log/` + +- Inventory endpoints only available with use of feature flag + +- Container health check reports for all services (apache, cron, supervisord) + +- GLPI cron script scheduled within container cron. _See notes below._ + +- GLPI WWW root setup under `public/` + + +## Cron + +Cron is installed as part of the image and runs automagically on container start. GLPI cron script is also scheduled to run every minute. However for GLPI to use the CLI cron, you must configure it. + +Once GLPI has been setup and configured: + +1. navigate to `Setup -> Automatic Actions` + +1. select all items in the list + +1. click the `Actions` button + +1. select `Update` + +1. select `Run Mode` + +1. select `CLI` + +1. click `Submit` + +Now GLPI will use the CLI cron script to run automagic actions. 
+ + +## Inventory + +It is posssible to use the inventory features available within GLPI, however by default access to the endpoints is disabled and behind a feature flag.The image by default will return HTTP/404 for the following paths: + +- `plugins/fusioninventory/` fusioninventory + +- `front/inventory.php` Native (non-GlpiInventory plugin) + +- `marketplace/glpiinventory/` GlpiInventory plugin (Marketplace installed) + +- `plugins/glpiinventory/` GlpiInventory plugin (plugin folder installed) + +To enable an inventory endpoint, using the values above, set environmental variable `GLPI_INVENTORY_PATH` when launching the container. i.e. to use GLPI native inventory `GLPI_INVENTORY_PATH=front/inventory.php`. on launching the container with this variable set, that endpoint is available for use for the inventory feature of GLPI. + +!!! tip + when using either `marketplace/glpiinventory/` or `plugins/glpiinventory/` as the inventory path you are required to prepend `index.php` to the end of the `server` directive in `agent.cfg`. i.e. `server = https://my-glpi-server/plugins/glpiinventory/index.php` + +!!! warning + It is strongly advised that when using the inventory features of GLPI, that the endpoints be configured for client authentication. + + +### Client Authentication + +Due to the limitations of the inventory agents, mTLS is not available so HTTP Basic Authentication is configurable. by default, when you set the environmental variable `GLPI_INVENTORY_PATH` HTTP basic auth is enabled by default. To configure the users follow these steps: + +1. run command from within the container `htpasswd -c /apache-passwd-glpi-inventory {Username to create}` + +1. enter the password and confirm when prompted + +1. configure the `user` and `password` entries in the `agent.cfg` file. + +!!! tip + Ensure you limit the permissions on the `agent.cfg` file as it contains a password in clear text. 
Only the user the agent is run as requires access and you are encouraged to limit to that user only. + +!!! warning + HTTP Basic authentication is inherently insecure. to overcome this shortfall, ONLY use HTTP Basic Auth over a secure connection _(https)_. + + +## Running the container + +To quickly setup a container the following `docker-compose.yaml` file could be used. + +``` yaml title="docker-compose.yaml" linenums="1" +version: "3.2" + +services: + + + mariadb: + image: mariadb:latest + container_name: mariadb + hostname: mariadb + volumes: + - /opt/mysql/mysql:/var/lib/mysql + environment: + - MARIADB_ROOT_PASSWORD=******** + - MARIADB_DATABASE=glpi + - MARIADB_USER=******** + - MARIADB_PASSWORD=******** + restart: always + + + ingress: + image: nginx:latest-alpine + container_name : ingress + hostname: ingress + ports: + - "80:80" + - "443:443" + volumes: + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - /opt/ingress/conf.d:/etc/nginx/conf.d:ro + - /opt/ingress/http:/http:ro + - /opt/ingress/ssl:/ssl:ro + environment: + - TIMEZONE=UTC + restart: always + networks: + - ingress + - default + + + glpi: + image: nofusscomputing/docker-glpi:dev + container_name : glpi + hostname: glpi + ports: + - "80:80" + volumes: + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + - /opt/glpi/plugins:/var/www/html/plugins + - /opt/glpi/files:/var/www/html/files + - /opt/glpi/config:/var/www/html/config + - /opt/glpi/marketplace:/var/www/html/marketplace + environment: + - TIMEZONE=UTC + - GLPI_INVENTORY_PATH=/plugins/glpiinventory/ + restart: always + networks: + - default + + +volumes: + data_mysql: + + +networks: + default: + external: no + ingress: + external: yes + +``` diff --git a/docs/projects/index.md b/docs/projects/index.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/tags.md b/docs/tags.md new file mode 100644 index 0000000..e69de29 
diff --git a/docs/task-doc-template.md b/docs/task-doc-template.md new file mode 100644 index 0000000..ade9fcd --- /dev/null +++ b/docs/task-doc-template.md @@ -0,0 +1,87 @@ + + +short summary of the task file + +## {Task Name} + +- **Name**: + +- **Description**: + +- **Module**: + +- **Arguments**: + + - + +- **Conditional**: + +- **Tags**: + + - + +## {Task Name} + +- **Name**: + +- **Description**: + +- **Module**: + +- **Arguments**: + + - + +- **Registers**: + +- **Conditional**: + +- **Tags**: + + - + + +## Variables + +The following variables can be customized in this task file: + +```yaml +variable_name: "default_value" +``` + +- `variable_name`: Description of the variable. + +## Tags + +The tasks in this task file are tagged with the following tags: + +- + +## Usage + +To use this Ansible task file, you can include it in your playbook or role and provide values for the required variables. Here's an example of how you can use this task file: + +1. Create a playbook (e.g., `your_playbook.yaml`) and define the necessary variables: + +```yaml +--- + +- hosts: your_hosts + vars: + variable_name: "value" + + tasks: + - include_tasks: path/to/task_file.yaml +``` + +2. Create a separate file for the task file (e.g., `task_file.yaml`) and copy the content of the task file into it. + +3. Run the playbook: + +```shell +ansible-playbook your_playbook.yaml +``` + +Make sure to replace the placeholder values (`variable_name`, `value`) with the appropriate values for your setup. + +Note: You may need to adjust the playbook structure and additional tasks based on your specific requirements and the tasks you want to execute. \ No newline at end of file diff --git a/includes/etc/apache2/sites-available/000-default.conf b/includes/etc/apache2/sites-available/000-default.conf index 7d65c16..1257317 100644 --- a/includes/etc/apache2/sites-available/000-default.conf +++ b/includes/etc/apache2/sites-available/000-default.conf 
@@ -1,15 +1,62 @@ DocumentRoot /var/www/html/public + + + + + + + AuthType Basic + AuthName "Restricted Access" + AuthUserFile /apache-passwd-glpi-inventory + Require valid-user + + + + + + + + + Require all granted RewriteEngine On + + # Paths: + # Reference: https://glpi-agent.readthedocs.io/en/latest/configuration.html + # - fusioninventory: /plugins/fusioninventory/ + # - Native (non-GlpiInventory plugin): /front/inventory.php + # - GlpiInventory plugin (Marketplace installed): /marketplace/glpiinventory/ + # - GlpiInventory plugin (plugin folder installed): /plugins/glpiinventory/ + # NOTE: for glpi inventory index.php must be prepended to path so that GUI can still be accessed. + + # Don't provide access to inventory on these paths + # ToDo: add inventory path for /plugins/fusioninventory/ + + RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/front/inventory.php + RewriteCond %{REQUEST_URI} ^/front/inventory.php$ + RewriteRule ^(.*)$ - [R=404,NC] + + RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/plugins/glpiinventory/ + RewriteCond %{REQUEST_URI} /plugins/glpiinventory + RewriteCond %{REQUEST_URI} !/plugins/glpiinventory/front/ + RewriteRule ^(.*)$ - [R=404,NC] + + RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/marketplace/glpiinventory/ + RewriteCond %{REQUEST_URI} /marketplace/glpiinventory + RewriteCond %{REQUEST_URI} !/marketplace/glpiinventory/front/ + RewriteRule ^(.*)$ - [R=404,NC] + + RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ index.php [QSA,L] + ErrorLog /var/log/apache2/error-glpi.log LogLevel warn CustomLog /var/log/apache2/access-glpi.log combined + \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..318e4c2 --- /dev/null +++ b/mkdocs.yml 
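Review bot: The new deny rules cover `/front/inventory.php`, `/plugins/glpiinventory` and `/marketplace/glpiinventory`, but `/plugins/fusioninventory/` is left as a `ToDo`, although the documentation added in this same commit lists it among the paths that return 404 by default; until a matching block exists, that endpoint is not gated by `GLPI_INVENTORY_PATH`. A block mirroring the glpiinventory one would close the gap, e.g. `RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/plugins/fusioninventory/`, `RewriteCond %{REQUEST_URI} /plugins/fusioninventory`, `RewriteRule ^(.*)$ - [R=404,NC]`. The env conditions are unanchored regexes that include a leading slash, so the documented example value `front/inventory.php` (no slash) would leave the endpoint blocked; either normalise the value or document the slash. The container tags around the `AuthType Basic` block are not visible in this rendering, so confirm that `Require valid-user` is scoped to the enabled inventory path and is not overridden by the later `Require all granted`.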
@@ -0,0 +1,30 @@
+INHERIT: website-template/mkdocs.yml
+
+docs_dir: 'docs'
+
+repo_name: Docker GLPI
+repo_url: https://gitlab.com/nofusscomputing/projects/docker-glpi
+edit_uri: '/-/ide/project/nofusscomputing/projects/docker-glpi/edit/development/-/docs/'
+
+nav:
+- Home: index.md
+
+- Articles:
+
+ - articles/index.md
+
+- Projects:
+
+ - projects/index.md
+
+ - GLPI Docker:
+
+ - projects/glpi/index.md
+
+
+- Operations:
+
+ - operations/index.md
+
+- Contact Us: contact.md
+
diff --git a/website-template b/website-template
new file mode 160000
index 0000000..992b548
--- /dev/null
+++ b/website-template
@@ -0,0 +1 @@
+Subproject commit 992b54805b8b6c78a3d2a5ea7de71c7be2b070c8